Throwback: Exchange 2003's Over-promises

"Spam is our e-mail customers' No. 1 complaint today, and Microsoft is innovating on many different fronts to eradicate it," that was Bill Gates' motto in 2004, in order to lure corporate customers to its Exchange 2003 Server. During that time, Microsoft was very busy fixing many bugs in its Exchange 2003 offering. By 2005, they rushed to the door a very critical update, Exchange Server 2003 Service Pack 2. It was not a run-of-the-mill critical flaw patch, but rather includes a new feature that was desperately needed at that time, the Microsoft-made Anti Spam verification framework.

They use the term "Unsolicited Commercial Email problem" to refer to spam email. They have promised new features that will combat spam built-in with Exchange 2003 at that time, but those promises fall on the wayside, fast forward today with Exchange 2016, junk mails are still penetrating user's mailboxes. The Exchange 2003 SP2's Anti Spam Verification system over-promised and under delivered

Anti spam Verification

"With the introduction of Exchange 2003 Server, Microsoft built a framework that included a number of features intended to reduce the volume of spam. The framework called for a solution based on a multi-layered approach around the idea that most if not all spam should be stopped at the gateway, and before reaching the final recipient's mailbox. The adoption of this approach has proven to be very successful and highly effective," the Exchange 2003 claimed in their press release.

According to Microsoft, in 2005, the verification process of Exchange 2003 SP2 blocks roughly 25% of all emails during their internal test. Using a custom-made framework which is composed of:

  1. Configurable exception list that overrides the block list
  2. Custom-tailored server response (DSN) based on the provider and connection initiation source.
  3. Customized rule-based Block List service configuration
  4. Support for multiple Real-Time Block List (also known as DNS Block List) providers (including paid subscriptions)
  5. Global Accept and Deny Lists

Microsoft during that time was very confident of their Exchange 2003 SP2 system, as the company claimed that most parts of it do not face the public Internet. Microsoft had enumerated the default Sender Filtering and Recipient filtering capabilities built-in with Exchange 2003 Service Pack 2 system (below are direct quotes from Microsoft):

Sender Filtering:

  • Sender Filtering allows a list of senders to be specified that are prohibited from sending messages to a particular Exchange organization.
  • Sender Filtering can be easily configured to reject messages originating from certain domains or email addresses.
  • Sender Filtering filters messages with blank sender information and provides a mechanism for spoof detection (e.g. if the message coming from outside the organization claims to be sent from the CEO of organization where Exchange is deployed).
  • Based on the administrator-configurable actions the filter can drop the incoming connection if the Sender's address matches the filter.
  • To minimize information disclosure to malicious users, Sender Filtering can silently accept mail and delete it without notifying the sender.
  • Sender Filtering provides an option for archiving filtered messages for a forensic analysis as needed.

Recipient Filtering:

  • Recipient Filtering enables inbound mail filtering for a particular recipient in the Exchange organization.
  • Recipient Filtering supports blocking mail based on wildcards.  This enables administrators to use patterns to block entire ranges of recipients.
  • Recipient Filtering filters messages sent to non-existent recipients, rejecting them at the protocol level.  By rejecting non- existent recipients at the protocol level (on RFC2821 RCPT TO: command), the Exchange server is protected from doing expensive NDR generation work and clogging the Badmail directory.
  • Enabling filtering of the Recipients who are not in the Directory potentially allows spam senders to discover internal directory information (valid e-mail addresses in the Exchange organization).  A malicious user can execute address book mining by monitoring/parsing the server responses to RCPT TO: commands. To mitigate this threat Exchange 2003 Server SP2 supports SMTP command tarpitting.  An administrator can configure Exchange to implement an n-seconds delay of the server response to the RCPT TO: command if a DHA attack is encountered or if the remote party violates SMTP RFC conformance.  When a malicious user tries to harvest responses the Exchange server significantly slows down its responses (to an admin-defined delay interval) and the attack becomes infeasible.
  • Ability to restrict Distribution List mail submissions to authenticated users only contributes to the Recipient Filtering Framework.
  • Recipient Filtering applies only to anonymous connections so all authenticated identities bypass Recipient Filtering rules.

Unfortunately, Microsoft's efforts were fruitless in the last decade. Spammers are always a step ahead of their new ways to combat spam. Anti spam verification system, even for Exchange 2016 are not enough, people continue to see Viagra adverts in their mailbox on a daily basis. That is why nothing defeats of having a 3rd party anti spam verification system from an industry-recognized brand in the sector of cyber security and privacy, Comodo Anti Spam Gateway.

Depending upon the requirement of the enterprise, Comodo Anti Spam Gateway system is a business anti spam verification solution which can be entirely cloud-based, hosted remotely, but connected to your mail server using a high speed network connection in your own office network itself.

Comodo Anti Spam Gateway, anti spam verification is a multi-tier system for fighting junk emails. Depending upon the requirement of the enterprise, Comodo anti spam gateway is a business anti spam verification software which can be entirely cloud-based, hosted in the cloud, but connected to your mail server or a hardware appliance located in your own office network itself. Such business anti spam verification software, prevents delays from email sending and receiving, in contrast to a software-based anti spam verification software that runs on the mail server that interferes with the operation of the latter in real time.

Comodo Anti Spam Gateway as an anti spam verification is light on system resources. The anti spam verification from Comodo guarantees to not consume any resources from the mail server, as it is a hosted anti spam verification in the cloud. As a hosted service, Comodo's anti spam verification has a contractual obligation to provide a bundled level of free support with the anti spam verification during the license period, serving as an all-in-one anti spam verification technology for any organizations large and small. Comodo Anti Spam Gateway is a better solution than Exchange's anti spam verification system.

FREE TRIAL |

Start Your 30-Day Free Trial Now

The anti spam verification used by your enterprise right now may not be able to cover the future requirement for anti spam verification. Comodo Anti Spam Gateway is the answer. The first two anti spam verification measures are to immunize and harden the email server, as it runs a background process monitoring the email exchange to and from the Internet. These days spammers have all the tools at their disposal to bypass anti spam verification measures, but Comodo offers comprehensive database, a much-needed remedy against spam in the enterprise, regardless if they are large or a start-up. Try Comodo Anti Spam Gateway today!